Certified in Risk and Information Systems Control (CRISC) — Question 1323
Which process is MOST effective to determine relevance of threats for risk scenarios?
Answer options
- A. Penetration testing
- B. Vulnerability assessment
- C. Root cause analysis
- D. Business impact analysis (BIA)
Correct answer: A
Explanation
Penetration testing is the most effective process because it simulates real-world attacks to identify vulnerabilities and assess their impact, directly linking threats to risk scenarios. A vulnerability assessment identifies vulnerabilities without testing them in real-world scenarios, root cause analysis identifies the source of problems, and a business impact analysis (BIA) assesses the effects of disruptions rather than evaluating threats.